Security vulnerabilities in your home router have been the story for years, with the responsibility being placed at the feet of users to keep their router firmware updated. But a damning report by Fraunhofer says that router manufacturers themselves have taken years to issue patches, with potentially dozens of critical vulnerabilities lurking within older routers.
The June report by Fraunhofer-Institut für Kommunikation (FKIE) extracted firmware images from routers made by Asus, AVM, D-Link, Linksys, Netgear, TP-Link, and Zyxel—127 in all. The report (as noted by ZDNet) checked the firmware images against known vulnerabilities and for exploit mitigation techniques, the design measures that let a router limit the damage even if a vulnerability is exposed.
No matter how you slice it, Fraunhofer’s study pointed out basic lapses in security across several aspects. At the most basic level, 46 routers didn’t receive any updates at all in the last year. Many used outdated Linux kernels with their own, known vulnerabilities. Fifty routers used hard-coded credentials, where a known username and password was encoded into the router as a default credential that asked the user to change it—but would still be there, accessible, if they did not.
FKIE could not find a single router without flaws. Nor could the institute name a single router vendor that avoided the security issues.
“AVM does [a] better job than the other vendors regarding most aspects,” the report concluded. “Asus and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link, and Zyxel.” We contacted Belkin (Linksys) and D-Link, two vendors named in the report, for comment, but didn't hear back from D-Link. Belkin's comment is at the end of this story.
“In conclusion the update policy of router vendors is far behind the standards as we know it from desktop or server operating systems,” FKIE said elsewhere in the report. “However, routers are exposed to the internet 24 hours a day leading to an even higher risk of malware infection.”
Fraunhofer broke down how router vendors have fallen short into several categories.
Days since the last firmware release: Although 81 routers were updated in the last 365 days before the FKIE gathered its results (March 27, 2019 to March 27, 2020) the average number of days to the prior update, across all devices, was 378. FKIE said 27 of the devices had not been updated within two years, with the absolute worst stretching to 1,969 days—more than five years.
Asus, AVM, and Netgear issued updates for all of their devices within a year and a half, at least. By comparison, most antivirus programs issue updates at least daily.
Age of the OS: Most routers run Linux, an open-source software model that offers researchers the ability to examine the basic Linux kernel code and apply patches. When the kernel itself is outdated, however, fundamental known vulnerabilities in the OS are ripe for exploitation. FKIE used the open-source Firmware Analysis and Comparison Tool (FACT) to extract the router firmware, finding that a third of the routers ran on top of the 2.6.36 Linux kernel, an older version. The last security update for kernel version 2.6.36 was provided nine years ago, the study found.
Critical vulnerabilities in the tested routers abounded. The average number of critical vulnerabilities found for each router was 53, with even the best routers subject to 21 critical vulnerabilities (there were a whopping 348 high-rated vulnerabilities, too).
Exploit mitigation: Routers can be built to protect their kernel using a variety of exploit mitigation techniques, including the non-executable bit (NX) to mark a region of memory as non-executable. This was a common way of protecting the router, but FKIE found that the usage of exploit mitigation techniques was rare.
Private keys: “We want to make it absolutely clear that there is no good reason to publish a private key, because a published private key does not provide any security at all!” FKIE wrote. Publishing the private cryptographic key in the firmware allows an attacker to impersonate the device itself and do “man in the middle” attacks, an exploit that tries to fool the user’s PC and the server into believing that the attacker is the trusted router.
FKIE found that at least five private keys are published per firmware image. The Netgear R6800 provides a total number of 13 private keys in a single device. AVM was the only vendor FKIE found that did not publish private keys.
Hard-coded login credentials: You may already be familiar with “hard-coded” credentials: a router that uses “admin” and “password” as its default credentials. While that makes it easy to recover a lost password, it also makes it extremely easy for an attacker to take over your router. “Furthermore, if the user cannot change a password, you might get a feeling that the password is related to a backdoor,” FKIE wrote, implying that hard-coding credentials could have been added to allow monitoring of your device.
“The good news is that more than 60% of the router firmware images do not have hard-coded login credentials,” FKIE wrote. “The bad news is that 50 routers do provide hard-coded credentials. Sixteen routers have well known or easy crackable credentials.”
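The private-key and hard-coded-credential findings above both come from static inspection of an unpacked firmware image. The following is an added example, not code from FKIE's report or from FACT: a minimal audit that assumes the image has already been extracted to a directory. The function names are hypothetical, and the sample tree is constructed with made-up values.

```python
import os
import re
import tempfile

# Matches PEM headers such as "BEGIN RSA PRIVATE KEY" or "BEGIN PRIVATE KEY".
PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")

def audit_firmware_root(root):
    """Return sorted (kind, relative path, detail) findings for an unpacked image."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # links may point outside the extracted tree
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4 << 20)  # cap the read at 4 MiB per file
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            if PEM_KEY.search(data):
                findings.append(("private-key", rel, "PEM private key block"))
            if name in ("passwd", "shadow"):
                for line in data.decode("utf-8", "replace").splitlines():
                    fields = line.split(":")
                    if len(fields) < 2:
                        continue
                    user, secret = fields[0], fields[1]
                    if secret == "":
                        findings.append(("empty-password", rel, user))
                    elif secret != "x" and not secret.startswith(("!", "*")):
                        findings.append(("password-hash", rel, user))
    return sorted(findings)

def build_sample_root():
    """Create a tiny constructed firmware tree (all values are made up)."""
    root = tempfile.mkdtemp(prefix="fw-sample-")
    samples = {
        "etc/passwd": "root:x:0:0::/root:/bin/sh\nguest::500:500::/:/bin/sh\n",
        "etc/shadow": "root:*:0:0:99999:7:::\nadmin:$1$constructed$notarealhash:0:0:99999:7:::\n",
        "etc/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
        "usr/share/readme.txt": "nothing sensitive\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    for finding in audit_firmware_root(build_sample_root()):
        print(*finding, sep="\t")
```

A password hash or key baked into the image is identical on every unit that ships it, so a finding here applies to the whole product line rather than one device.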
FKIE’s report doesn’t suggest choosing an open-source firmware replacement for your router, although that option is certainly available. Unfortunately, some of the firmware options are no longer maintained, or only work on a subset of (older) routers. It’s disappointing that the easiest route for criminals to penetrate your home network appears to be—not your PC, or your operating system—but the router you’re using to connect to the rest of the world.
Belkin/Linksys returned our request for comment on July 21, fifteen days after we originally published our story. "FKIE’s report, which states that their tool may be prone to both false positive and false negative results, relies solely on static firmware analysis and doesn’t provide any specific security vulnerabilities or exploits for any of the devices they tested," the statement said in part.
Linksys advises its customers to take precautions such as making sure automatic firmware updates are enabled (if available), to change the default password, and set up a guest network for all visitors.
"Linksys relies on 3 prong strategy for security audits of our products which are: penetration testing (both internal and 3rd party), source code scanning, and a public vulnerability disclosure program," the company said in a statement. "Linksys takes security seriously and provides firmware updates to our active products with known vulnerabilities either reported to us by through our disclosure program or discovered internally."
This story was updated on July 21 with additional comment from Belkin/Linksys.